| Situation |
You want to route your Google Workspace emails internally. |
|---|---|
| Solution |
This will guide you to setup internal mail routing. |
Configure Internal Mail Routing
- Sign-In to the Google Admin console.
- From the dashboard go to Apps > Google Workspace > Gmail > Spam, phishing, and malware
- Hover the cursor to the right of Inbound gateway and click on the pencil icon.
- Under Gateway IPs, enter these IP addresses, as well as these Google IP addresses:
| · 35.190.247.0/24 · 64.233.160.0/19 · 66.102.0.0/20 · 66.249.80.0/20 · 72.14.192.0/18 · 74.125.0.0/16 · 108.177.8.0/21 · 173.194.0.0/16 · 209.85.128.0/17 |
· 216.58.192.0/19 · 216.239.32.0/19 · 172.217.0.0/19 · 172.217.32.0/20 · 172.217.128.0/19 · 172.217.160.0/20 · 172.217.192.0/19 · 172.253.56.0/21 · 172.253.112.0/20 |
· 108.177.96.0/19 · 35.191.0.0/16 · 130.211.0.0/22 · 2001:4860:4000::/36 · 2404:6800:4000::/36 · 2607:f8b0:4000::/36 · 2800:3f0:4000::/36 · 2a00:1450:4000::/36 · 2c0f:fb50:4000::/36 |
5. Check Automatically detect external IP.
|
When this setting is enabled, Gmail scans the message header to locate the first occurrence of an IP address that is not listed in the Gateway IPs. This is referred to as the “external IP.” Gmail considers the “external IP” as the sending IP and uses this IP for SPF checks and spam evaluation. |
|---|
6. Check Reject all mail not coming from gateway IPs.
7. Check Require TLS for connection from the email gateways listed above.
8. Click Save and then Enable the Inbound Gateway. 
There have been instances where Google has blocked it's own IP addresses from delivering. In this case, their only solution that they have provided is to uncheck the box that says "Reject all mail not from gateway IPs"
If you do uncheck this box, your mail server is not locked down to only accept external mail from Proofpoint IP's. It is possible for senders to route directly to your mail system instead of following normal MX lookups to route through Proofpoint.
The error received is similar to this:
Google tried to deliver your message, but it was rejected by the relay <a href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a> [Google IP]. We recommend contacting the other email provider at <a href="mailto:postmaster@aspmx.l.google.com" target="_blank">postmaster@aspmx.l.google.com</a> for further information about the cause of this error. The error that the other server returned was: 421 4.7.0 IP not in whitelist for RCPT domain, closing connection. 39si990106uak.192 - gsmtp
CONFIGURE INTERNAL ROUTING
- Navigate to Apps > Google Workspace > Gmail > Hosts.
- Select Add Route.
- For Name, enter Internal Google Workspace, for single host, enter aspmx.l.google.com and then, in the second field, enter 25.
- Make sure that the option Perform MX lookup on host is NOT checked, and that the following options are checked:
- Require mail to be transmitted via a secure connection,
- Require CA signed certificate
- Validate certificate hostname are checked, then press Save.
- Click Settings for Gmail in the upper left again, then click Routing.
- Scroll down to Routing, and then click Configure.
- Enter a description at the top, e.g. Internal Routing.
- Under Messages to affect, check the box that says Internal Sending.
- Scroll down, and under Route, check Change route, and then change the default dropdown from Normal Routing to Internal Google Workspace.
- Scroll down and select Show options. The screen expands.
- Under B. Account types to affect, check both Users and Groups
- Under C. Envelope Filter, check Only affect specific envelope senders and then change the dropdown from "Single email address" to Pattern Match
- Under Regexp, enter your domain e.g. domain.com
- Click SAVE.
Please Note: When configured as per the instructions above, internal to internal email stays within Google Workspace and is NOT scanned for Spam by Proofpoint Essentials.
Carlos Rios
Comments